matchboxbananasynergy

How do I validate apps?

In an attempt to get Accrescent, I came across this:
https://github.com/accrescent/accrescent
which simply validates the apk via SHA-256 signing certificate hash.
1) O.K..... which hashing program is recommended for this?
2) Is it included somewhere with GrapheneOS?

PGP/GPG was the standard for validating checksums on some OS's. This article suggests an approach:

https://www.privacyguides.org/android/?h=hash#verifying-apk-fingerprints

3) So what are folks around here doing?

TIA

    dirksche It is in early alpha. Currently, only whitelisted developers can submit their apps in order to iron out the kinks, but once it's out of alpha, a lot more apps will make it in. Currently, it's more of a "have it installed and use it as apps you want are made available through it" rather than a "install it and get all your apps from there" situation.

    I like the idea of downloading APKs directly and using an RSS reader to manually update.

    Question - how would you thoroughly search for an APK file if it wasn't in the assets in a GitHub repository? All I can think of is looking at the software's website (if applicable) and doing a search for the APK from official sources. Is there any other way to find APKs without an app store?

      FreshStart for projects that don't provide their own APK in the repo, I usually track them anyway and grab them from F-droid once available. I would prefer to build them myself, but I don't have the time to deal with that right now. Too many projects on the go and too little time.

      newbie24689

      which hashing program is recommended for this?

      apkverifier works, although there are some Android apps that can do the same. apkverifier is what Accrescent officially recommends.

      Is it included somewhere with GrapheneOS?

      No, but signing certificate information is planned to be included under the app info in Settings.

      That article shows you how to verify the certificate hashes with apkverifier.

      There's this article that has more details on this topic.

      https://privsec.dev/posts/android/android-tips/#where-to-get-your-applications

      Particularly want to point out this part

      That being said, [Aurora Store] lacks security features like certificate pinning and does not support Play Asset Delivery.

      Curious does anyone know whether downloading apks directly from Github also lacks certificate pinning? Is this an important security vulnerability?

        kopolee11

        Certificate pinning is a way to let an app know the remote server's expected certificate, basically. You can read about it here: https://developer.android.com/training/articles/security-ssl. I've read somewhere that Google doesn't really suggest devs use certificate pinning for a number of reasons. One big reason is OSs and apps already have a list of CAs (certificate authorities) that are trustworthy and help verify the authenticity of a website's own certificate.

        Browsers check certificates to make sure they're legit. So, if someone tried to stage a man in the middle attack to get you to install a malicious apk, you'd still see very obvious warnings in your browser.

        Internally, apps will throw errors if they try to access a website and something about the certificate is off, so Aurora doesn't really need certificate pinning. It also doesn't make sense for them to use certificate pinning. Why? Because they're not Google and won't know ahead of time if Google plans on making a change that'll break their app.

        So, no, using Aurora and installing apps from Github aren't really dangerous.

        FreshStart

        As a noob, for me this one was useful and easy to understand.
        Go to the big brother video site and search for the channel Side Of Burritos, then the video "You should use this instead of F-Droid | How to use app RSS feed", he is a 100% "add on" for this forum and original side GrapheneOs, he explain with video context a lot of info.

        11 days later

        Hello!

        I read a lot about Obtanium app as a replacement for F-Droid. In your opinion/experience - is that app trustworthy enough to use it with GOS? Also, the app description says that installs happen asynchronously. What does that mean exactly and did you run into problems with GOS?

          wojon is that app trustworthy enough to use it with GOS?

          Quickly looking at the app's Github repository, it does appear they're really getting releases from Github. I didn't check other app sources.

          I haven't actually used Obtainium, but I plan to eventually. Based on the code I checked it looks trustworthy to me.

          wojon Also, the app description says that installs happen asynchronously. What does that mean exactly and did you run into problems with GOS?

          Based on what they said in the readme and a comment in the code it just means that they can't follow the status of the install. Looking at the Flutter plugin they're using it's true there's no code to wait and see if the app installs successfully, just if the OS accepts the install request and prompts the user.

          This shouldn't cause anyone any problems as far as I can tell. If there's a problem, the app just won't install and the OS will notify you of the reason. When you relaunch Obtanium, it'll scan your installed apps again so if the install failed, you can try again.

          a year later

          If you install apps in User Profile. Will that app then be available in Owner Profile too? How to activate and install that app?

            PMUSR If you install apps in User Profile. Will that app then be available in Owner Profile too?

            It would not be "installed' in the owner profile.

            PMUSR How to activate and install that app?

            The easiest way would be to install the app again in the Owner profile.

            Or it would probably be easier to install first in the Owner profile then push the app from the owner profile to the other secondary user in Settings > System > Multiple users > *profile name* > Install available apps.

            a year later

            Not much activity in here recently, but I feel this is the best place to ask another noob question.
            I started installing apps inconsistently, (some APKs from developers websites, some from github, others through Accrescent, f-droid, or aurora). Now as I get more into it, I start realizing that hasn't been the smartest idea, as it makes it difficult to track what apps are up to date and which arent. Is there any fast way to see what is the source of an installed app? If not, any recommendation what would be the fastest way to set up such an overview?

              aop without 3rd party tools, you can find out the source in the app info of an app (long press on an icon and tap "App Info") at the bottom of the page, just above the version tag.

                aop f not, any recommendation what would be the fastest way to set up such an overview?

                Obtainium exists to solve exactly this problem, but it will take some work for you to setup initially.

                  Probably9857 - as I understand the use case for obtainium, it is aiming to show you about updates to run from apps that are installed through a source that does not provide auto updates (like e.g. f-droid or aurora). so for this to be useful, i first would have to go down the path splattergames mentioned in his last comment and sort out for what apps I can rely on the app stores (f-droid, aurora) and for what I would have to set obtainium. am I right?
                  thank you both for your input :-)

                    aop as I understand the use case for obtainium, it is aiming to show you about updates to run from apps that are installed through a source that does not provide auto updates

                    Right. It would be mainly for apps that don't have some other way of auto-updating or notifying you.

                    You would still need to review everything you have already installed to identify which apps to configure in Obtainium.

                    • aop likes this.

                    Thank you so much everyone for their input. Already watched the video, got obtainium and established an overview.

                    Since I am not installing Google Play on my main profile, I am looking for another way of having a secure way of installing files, yet still profit from automated updates. Reading through all the documentations, it's all about tradeoffs and threat model, which makes it hard to assess as a beginner (e.g. Google Play Store Security vs Privacy).

                    Would it be unreasonable to proceed as follows (ranked):

                    1. Install from Playstore whenever Google Play Services has to activated on a profile as it's needed anyway, e.g. banking apps profiting from highest security --> a drawback on privacy is okay here)
                    2. Initial install directly from GitHub or Provider Website (trusted source) in combination with Obtainium (automated updates) and AppVerifier --> here i'd have increased privacy as no Google Play Service with security managed with trusted source/obtainium/appverifier.
                    3. Only use f-droid (apparently new versions are available relatively late) and Aurora as a third priority -> (here i'd have automated updates but lower security (over Google Play) but better privacy (over Google Play)